sascha
/
nextcloud-server
mirror of https://github.com/nextcloud/server.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Respect user enumeration settings on profile 

Signed-off-by: Christopher Ng <chrng8@gmail.com>
pull/29559/head
Christopher Ng 2021-11-05 01:42:44 +07:00
parent 6d5f10eb57
commit f4307ef4b1
1 changed files with 58 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

71
core/Controller/ProfilePageController.php
Unescape Escape View File

@ -26,14 +26,17 @@ declare(strict_types=1);
namespace OC\Core\Controller;
use OC\KnownUser\KnownUserService;
use OC\Profile\ProfileManager;
use OCP\Accounts\IAccountManager;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http\TemplateResponse;
use OCP\AppFramework\Services\IInitialState;
use OCP\IGroupManager;
use OCP\IRequest;
use OCP\IUserManager;
use OCP\IUserSession;
use OC\Profile\ProfileManager;
use OCP\Share\IManager as IShareManager;
use OCP\UserStatus\IManager as IUserStatusManager;
class ProfilePageController extends Controller {
@ -48,6 +51,15 @@ class ProfilePageController extends Controller {
/** @var ProfileManager */
private $profileManager;
/** @var IShareManager */
private $shareManager;
/** @var IGroupManager */
private $groupManager;
/** @var KnownUserService */
private $knownUserService;
/** @var IUserManager */
private $userManager;
@ -63,6 +75,9 @@ class ProfilePageController extends Controller {
IInitialState $initialStateService,
IAccountManager $accountManager,
ProfileManager $profileManager,
IShareManager $shareManager,
IGroupManager $groupManager,
KnownUserService $knownUserService,
IUserManager $userManager,
IUserSession $userSession,
IUserStatusManager $userStatusManager
@ -71,6 +86,9 @@ class ProfilePageController extends Controller {
$this->initialStateService = $initialStateService;
$this->accountManager = $accountManager;
$this->profileManager = $profileManager;
$this->shareManager = $shareManager;
$this->groupManager = $groupManager;
$this->knownUserService = $knownUserService;
$this->userManager = $userManager;
$this->userSession = $userSession;
$this->userStatusManager = $userStatusManager;
@ -83,13 +101,15 @@ class ProfilePageController extends Controller {
* @NoSubAdminRequired
*/
public function index(string $targetUserId): TemplateResponse {
$profileNotFoundTemplate = new TemplateResponse(
'core',
'404-profile',
[],
TemplateResponse::RENDER_AS_GUEST,
);
if (!$this->userManager->userExists($targetUserId)) {
return new TemplateResponse(
'core',
'404-profile',
[],
TemplateResponse::RENDER_AS_GUEST,
);
return $profileNotFoundTemplate;
}
$visitingUser = $this->userSession->getUser();
@ -97,12 +117,37 @@ class ProfilePageController extends Controller {
$targetAccount = $this->accountManager->getAccount($targetUser);
if (!$this->isProfileEnabled($targetAccount)) {
return new TemplateResponse(
'core',
'404-profile',
[],
TemplateResponse::RENDER_AS_GUEST,
);
return $profileNotFoundTemplate;
}
// Run user enumeration checks only if viewing another user's profile
if ($targetUser !== $visitingUser) {
if ($this->shareManager->allowEnumerationFullMatch()) {
// Full id match is allowed
} elseif (!$this->shareManager->allowEnumeration()) {
return $profileNotFoundTemplate;
} else {
if ($this->shareManager->limitEnumerationToGroups() || $this->shareManager->limitEnumerationToPhone()) {
$targerUserGroupIds = $this->groupManager->getUserGroupIds($targetUser);
$visitingUserGroupIds = $this->groupManager->getUserGroupIds($visitingUser);
if ($this->shareManager->limitEnumerationToGroups() && $this->shareManager->limitEnumerationToPhone()) {
if (
empty(array_intersect($targerUserGroupIds, $visitingUserGroupIds))
&& !$this->knownUserService->isKnownToUser($targetUser->getUID(), $visitingUser->getUID())
) {
return $profileNotFoundTemplate;
}
} elseif ($this->shareManager->limitEnumerationToGroups()) {
if (empty(array_intersect($targerUserGroupIds, $visitingUserGroupIds))) {
return $profileNotFoundTemplate;
}
} elseif ($this->shareManager->limitEnumerationToPhone()) {
if (!$this->knownUserService->isKnownToUser($targetUser->getUID(), $visitingUser->getUID())) {
return $profileNotFoundTemplate;
}
}
}
}
}
$userStatuses = $this->userStatusManager->getUserStatuses([$targetUserId]);